Ride-sharing service operator Uber revealed two hackers accessed the personal data of 57 million of its users and drivers more than a year ago.
Uber disclosed the breach today despite having known about it since the incident occurred in October 2016. It made the disclosure as Bloomberg published details of the breach.
The data stolen by the two unnamed hackers included the names, email addresses and mobile phone numbers of its customers globally, as well as the names and driver's licence numbers of 600,000 US-based drivers.
Uber said it had no evidence that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were also taken.
The attackers managed to gain access to the private GitHub repository of Uber software developers and use the credentials within to access data stored on an Amazon Web Services server.
CEO Dara Khosrowshahi revealed Uber had managed to track down the two hackers and "obtained assurances" that they had deleted the downloaded data.
Bloomberg reported that the company paid the hackers US$100,000 to delete the information and keep quiet.
"We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts," Khosrowshahi said.
"None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.
"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Khosrowshahi deflected responsibility for the year-long delay in notifying Uber's drivers and users of the hack onto his security team.
He said two people who had led the response to the incident had been sacked from the company. Bloomberg reported the two as Uber chief security officer Joe Sullivan and one of his deputies.
"I had the same question [why Uber took a year to notify], so I immediately asked for a thorough investigation of what happened and how we handled it," he said.
"What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions."
He has asked former general counsel of the NSA Matt Olsen to "help me think through how best to guide and structure our security teams and processes going forward".
Khosrowshahi said the company did not believe users or drivers needed to take any action to safeguard their personal information.
He said Uber was notifying affected drivers individually of the incident and offering them free credit monitoring and identity theft protection.
"While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection," he said.